Threat intelligence involves collecting and analyzing data to better understand potential cyber threats and vulnerabilities. It provides insights into how attackers operate, allowing organizations to proactively defend against these threats or respond more effectively when incidents occur. It’s used to prioritize vulnerabilities, anticipate attacks, and make data-driven decisions in incident response. By understanding attackers' tactics, techniques, and procedures (TTPs), organizations can better secure their digital assets.
The key to effective threat intelligence is having access to the right tools and knowing how to use them. These tools allow analysts to input various selectors—such as IP addresses, domain names, file hashes, and other indicators of compromise (IOCs)—to gather a wealth of information. Each tool offers unique insights, making them valuable in different aspects of threat detection and analysis. Below is a comprehensive overview of some of the most useful threat intelligence tools, detailing which selectors each accepts and what information it returns.
DomainIQ
URL: www.domainiq.com
Selectors: Domain names, IP addresses.
Output: Provides details about domain ownership, hosting data, and other domains operated by the same owner. It helps track relationships between domains, making it easier to understand who might be behind a particular website.
Carbon Date
URL: carbondate.cs.odu.edu
Selectors: URL of the website.
Output: Estimates the earliest known creation date of a webpage by analyzing historical data, offering insights into when a page first appeared online. It can also provide access to archived versions through platforms like archive.org.
ExploitAlert
URL: www.exploitalert.com
Selectors: Exploit names, keywords related to vulnerabilities.
Output: Archives known exploits and provides mitigation strategies, with data going back to 2005. It’s a valuable resource for understanding which vulnerabilities have known patches and how to address them. Users can also integrate the API for real-time monitoring of new exploits.
ThreatMiner
URL: www.threatminer.org
Selectors: Indicators of compromise (IOCs) such as IP addresses, domains, file hashes, malware names.
Output: Provides context for IOCs, helping analysts understand how a specific IOC fits into the broader threat landscape. It enriches data points with information about attack origins, TTPs, and more.
GreyNoise
URL: www.greynoise.io
Selectors: IP addresses.
Output: Identifies IPs involved in scanning or attack activity, classifying their behavior and intent. It speeds up the triage of security alerts by highlighting which IPs are actively malicious or benign. The platform offers integrations with common security products and includes data like JA3 and HASSH fingerprints, web paths, and scan behavior.
Censys
URL: search.censys.io
Selectors: IP addresses, domains, certificates.
Output: Scans the internet for connected devices and services, tracking over 4 billion IPs daily. It helps users find exposed assets, identify potential vulnerabilities, and understand historical data about an infrastructure’s changes or activities over time.
AttackerKB
URL: attackerkb.com
Selectors: Vulnerability IDs, keywords related to vulnerabilities.
Output: Crowdsources insights about vulnerabilities, helping analysts prioritize which threats to address first. It includes real-time discussions and feedback from the community, offering perspectives on which vulnerabilities are critical and which may pose less of a threat.
VirusTotal
Selectors: File hashes (SHA256), URLs, domain names, IP addresses.
Output: Scans files and URLs using over 70 antivirus engines, sharing results to raise awareness of potentially malicious content. It’s a go-to tool for analyzing the reputation and safety of a file or URL, providing scan results that are publicly shared to improve global cybersecurity awareness.
Microsoft Defender Threat Intelligence
URL: www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-threat-intelligence
Selectors: IP addresses, URLs, domains, file hashes.
Output: This threat hunting platform, formerly known as RiskIQ, helps identify and respond to cyber threats by tracking adversary infrastructure. It aids in prioritizing incidents and mapping out potential attack paths used by threat actors.
DomainTools
URL: whois.domaintools.com
Selectors: Domain names, IP addresses.
Output: Provides domain registration history, name server changes, IP location, and other data. It is particularly useful for tracking the evolution of a domain and uncovering hidden connections between online assets.
Whoxy
URL: www.whoxy.com
Selectors: Domain names.
Output: Offers detailed domain ownership history, including changes in registration over time. This helps analysts track how domain ownership shifts, which can be a key indicator of potentially malicious activity.
Host.io
URL: host.io
Selectors: Domain names.
Output: Focuses on backlink analysis, providing insights into which websites are linking to or being linked by the site. It’s a valuable tool for understanding how domains are connected through backlinks and analyzing website relationships.
DNSdumpster
URL: dnsdumpster.com
Selectors: Domain names.
Output: Maps out subdomains and associated DNS records, helping analysts understand the full scope of an organization's online presence and potential attack surface.
Shodan
URL: www.shodan.io
Selectors: IP addresses, device types, protocols.
Output: Identifies internet-connected devices and their vulnerabilities, providing details about open ports, services, and geographic locations. It’s an essential tool for asset discovery and vulnerability assessment.
OSINT Framework
URL: osintframework.com
Output: Offers a directory of OSINT tools and resources, guiding users to the right service or platform for a given data point. It’s a useful starting point for any investigation.
Abuse.ch Platforms
MalwareBazaar:
URL: bazaar.abuse.ch
Selectors: Malware SHA256 file hashes, uploaded malware samples.
Output: A repository for searching known malware or uploading new samples, providing detailed information about specific malware.
Feodo Tracker:
URL: feodotracker.abuse.ch
Selectors: IP addresses, AS numbers, network names.
Output: Tracks malicious IPs associated with Feodo malware, offering a way to identify known bad actors.
SSL Blacklist:
URL: sslbl.abuse.ch
Selectors: SSL certificates.
Output: Lists SSL certificates used by malware, aiding in identifying compromised sites.
URLhaus:
URL: urlhaus.abuse.ch
Selectors: URLs.
Output: Database of known malicious URLs, useful for blocking harmful sites or understanding the behavior of a particular URL.
ThreatFox:
URL: threatfox.abuse.ch
Selectors: IP addresses, domains, other indicators.
Output: Provides data on malicious indicators, helping analysts identify and track various threats.
urlscan.io
URL: urlscan.io
Selectors: URLs.
Output: Scans websites for malicious content and provides detailed reports on their structure and connections, making it easier to identify potentially harmful behaviors.
Cisco Talos Intelligence
URL: talosintelligence.com
Selectors: IP addresses, URLs, domains, network owners, file hashes (SHA256).
Output: Provides in-depth information about threat activity, helping users understand and respond to emerging cybersecurity risks. It’s a comprehensive platform for tracking and analyzing threats.
These tools form the backbone of modern threat intelligence. By knowing which selectors each one accepts and what information it returns, analysts can quickly gather critical data and trace malicious activity back to its source. This knowledge lets investigators build a comprehensive picture of the threat landscape and provides the insights needed to protect organizations from evolving cyber risks.